2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article presents a sample analysis of malware written in Golang. It is meant to be easy to follow and clear; we hope it helps resolve your doubts as you study the analysis below.
For reference, study and use only
Golang (Go) is a relatively new programming language, and malware written in it is still uncommon. However, new variants written in Go are slowly emerging, posing challenges for malware analysts. Applications written in this language are large and look very different under the debugger from those compiled from other languages, such as C/C++.
Recently, we observed a new variant of the Zebrocy malware written in Go (a detailed analysis is available here). We have now captured another piece of malware written in Go in the lab. This time it is a very simple stealer, detected as Trojan.CryptoStealer.Go. This article describes its functionality in detail and shows the methods and tools that can be used to analyze other malware written in Go.
Analyzed samples
Malwarebytes detects this stealer as Trojan.CryptoStealer.Go:
992ed9c632eb43399a32e13b9f19b769c73d07002d16821dde07daa231109432
513224149cd6f619ddeec7e0c00f81b55210140707d78d0e8482b38b9297fc8f
941330c6be0af1eb94741804ffa3522a68265f9ff6c8fd6bcf1efb063cb61196 - HyperCheats.rar (original installation package)
3fcd17aa60f1a70ba53fa89860da3371a1f8de862855b4d1e5d0eb8411e19adf - HyperCheats.exe (UPX packed)
0bf24e0bc69f310c0119fc199c8938773cdede9d1ca6ba7ac7fea5c863e0f099 - unpacked
Behavior analysis
Under the hood, Golang calls the Windows API, so we can track its calls with the usual tools, such as a PIN tracer. We found that the malware searches for files in the following paths:
C:\Users\tester\AppData\Local\Uran\User Data\
C:\Users\tester\AppData\Local\Amigo\User\User Data\
C:\Users\tester\AppData\Local\Torch\User Data\
C:\Users\tester\AppData\Local\Chromium\User Data\
C:\Users\tester\AppData\Local\Nichrome\User Data\
C:\Users\tester\AppData\Local\Google\Chrome\User Data\
C:\Users\tester\AppData\Local\360Browser\Browser\User Data\
C:\Users\tester\AppData\Local\Maxthon3\User Data\
C:\Users\tester\AppData\Local\Comodo\User Data\
C:\Users\tester\AppData\Local\CocCoc\Browser\User Data\
C:\Users\tester\AppData\Local\Vivaldi\User Data\
C:\Users\tester\AppData\Roaming\Opera Software\
C:\Users\tester\AppData\Local\Comodo\Dragon\User Data\
C:\Users\tester\AppData\Local\Sputnik\Sputnik\User Data\
C:\Users\tester\AppData\Local\Google (x86)\Chrome\User Data\
C:\Users\tester\AppData\Local\Orbitum\User Data\
C:\Users\tester\AppData\Local\Yandex\YandexBrowser\User Data\
These paths point to data stored by browsers. An interesting fact is that one of the paths points to the Yandex browser, which is popular mainly in Russia.
All files found in the next search path, "C:\Users\tester\Desktop\*", are copied to a folder created in %APPDATA%: the "Desktop" folder contains all TXT files copied from the desktop and its subfolders (this is what it looked like on our test machine). After the search is complete, the files are compressed, and we can see that this package is sent to the C&C server (cu23880.tmweb.ru/landing.php).
Inside
Golang-compiled binaries are usually large, so it is not surprising that the sample was packed with UPX. After unpacking it, we get a plain Go binary. The export table shows the compilation path and some other interesting functions. Looking at the exported data, we can learn about the static libraries used internally. Many of these functions (related to trampolines) can be found in the module sqlite-3:
https://github.com/mattn/go-sqlite3/blob/master/callback.go. The function crosscall2 comes from the Go runtime and is related to calling Go from a C++ application (https://golang.org/src/cmd/cgo/out.go).
Tools
For the analysis, I used IDA Pro and the script IDAGolangHelper written by George Zaytsev. First, the Go executable must be loaded into IDA. Then we can run the script from the menu (File -> Script file). We are presented with a menu that gives access to the script's specific features.
First, we need to determine the Golang version (the script provides some useful heuristics). In this case, it is Go 1.2. We can then rename the functions and add the standard Go types. After this, the code looks much more readable. Below, you can see the view of the functions before and after using the script. Before, only exported functions are named; after, most functions are automatically resolved and given their names. Many of these functions come from statically linked libraries, so we need to focus on the functions annotated as main_*, which are specific to this executable.
Code Overview
In the function main_init, we can see the modules that will be used in the application:
It is statically linked with the following modules:
GRequests (https://github.com/levigross/grequests)
Go-sqlite3 (https://github.com/mattn/go-sqlite3)
Try (https://github.com/manucorporat/try)
Analyzing this function can help us predict the functionality: by looking at the libraries above, we can see that the malware will communicate over the network, read SQLite3 databases, and catch exceptions. Other initializers suggest the use of regular expressions, the zip format, and reading environment variables. This function is also responsible for initializing and mapping strings. We can see that some of them are first decoded from base64:
In the string initialization, we see references to cryptocurrency wallets: Ethereum and Monero.
The main function of a Golang binary is annotated as main_main.
Here, we can see that the application creates a new directory (using the function os.Mkdir). This is the directory to which the found files will be copied. Then several goroutines are started using runtime.newproc. Goroutines can be used like threads, but they are managed differently; more details can be found here. These routines are responsible for searching for files. At the same time, the SQLite module is used to parse the databases and steal data. After that, the malware compresses everything into a single package, and finally the compressed package is uploaded to the C&C.
What does it steal?
To see what data the attacker is interested in, we can take a closer look at the function that executes the SQL queries and at the related strings. Strings in Golang are stored in batches, as one contiguous block:
Individual strings are then retrieved from this batch as needed, so it is not easy to see where in the code each string is referenced. The following is a snippet of the code that opens the "sqlite3" database (it retrieves a string of length 7):
Another example: retrieving a query from the complete string block with a given offset and length:
Let's take a look at the data these queries are trying to get. To find the string referenced by a call, we can retrieve and list all the strings:
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted, billing_address_id FROM credit_cards
SELECT * FROM autofill_profiles
SELECT email FROM autofill_profile_emails
SELECT number FROM autofill_profile_phone
SELECT first_name, middle_name, last_name, full_name FROM autofill_profile_names
We can see that the browser's cookie database is queried for data related to online transactions: credit card numbers, expiration dates, and personal data such as names and email addresses. The paths to all the files that are searched for are stored as base64 strings. Many of them are related to cryptocurrency wallets, but we can also find references to Telegram.
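As an added example (not code from the post or from the sample), the Go program below mimics the two things an analyst has to do here: read constants out of the packed string blob by (offset, length), and then work out what each one is. It packs constructed sample strings back to back the way the linker does, slices each one out again through a bounds-checked reference, tags SQL queries with the table they read, and base64-decodes the path strings. All constants are constructed for the example, not taken from the sample.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// StrRef is the (offset, length) pair the disassembly hands to the runtime.
type StrRef struct{ Off, Len int }

// Constructed sample constants (not bytes from the real sample): a library
// name, one autofill query and base64-encoded wallet, browser and Telegram paths.
var sampleConsts = []string{
	"sqlite3",
	base64.StdEncoding.EncodeToString([]byte(`\AppData\Roaming\Exodus\seed.seco`)),
	"SELECT name_on_card, card_number_encrypted FROM credit_cards",
	base64.StdEncoding.EncodeToString([]byte(`\AppData\Local\Yandex\YandexBrowser\User Data\`)),
	base64.StdEncoding.EncodeToString([]byte(`Software\Classes\tdesktop.tg\shell\open\command`)),
}

// PackStrings lays constants out back to back with no separators, as the Go
// linker does, returning the blob plus the (offset, length) refs code would use.
func PackStrings(consts []string) (blob []byte, refs []StrRef) {
	for _, s := range consts {
		refs = append(refs, StrRef{len(blob), len(s)})
		blob = append(blob, s...)
	}
	return blob, refs
}

// Recover slices every referenced string out of the blob, rejecting a ref that
// falls outside it, and tags each decoded value: "sql:<table>", "path" or "string".
func Recover(blob []byte, refs []StrRef) (map[string]string, error) {
	out := map[string]string{}
	for _, r := range refs {
		if r.Off < 0 || r.Len < 0 || r.Off+r.Len > len(blob) {
			return nil, fmt.Errorf("ref %+v outside %d-byte blob", r, len(blob))
		}
		raw := string(blob[r.Off : r.Off+r.Len])
		if strings.HasPrefix(strings.ToUpper(raw), "SELECT ") {
			out[raw] = "sql:" + raw[strings.LastIndex(raw, " ")+1:]
		} else if dec, err := base64.StdEncoding.DecodeString(raw); err == nil && strings.Contains(string(dec), `\`) {
			out[string(dec)] = "path" // decoded wallet, browser or Telegram location
		} else {
			out[raw] = "string" // sqlite3, regexp patterns, etc.
		}
	}
	return out, nil
}
```

Running Recover over the packed blob lists the decoded targets and the queried SQLite tables, which is the same inventory the screenshots above were built from.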
Software\Classes\tdesktop.tg\shell\open\command
\Local\Yandex\YandexBrowser\User Data\
\AppData\Electrum\wallets\default_wallet
\AppData\Local\Torch\User Data\
\AppData\Local\Uran\User Data\
\AppData\Roaming\Opera Software\
\AppData\Local\Comodo\User Data\
\AppData\Local\Chromium\User Data\
\AppData\Local\Kometa\User Data\
\AppData\Local\Orbitum\User Data\
\AppData\Local\Nichrome\User Data\
\AppData\Local\Vivaldi\User Data\
\AppData\Roaming\BBQCoin\wallet.dat
\AppData\Roaming\wallet.dat
\AppData\Roaming\keystore
\AppData\Roaming\Exodus\seed.seco
\AppData\Roaming\Franko\wallet.dat
\AppData\Roaming\IOCoin\wallet.dat
\Roaming\Ixcoin\wallet.dat
\AppData\Roaming\Mincoin\wallet.dat
\AppData\Roaming\YACoin\wallet.dat
\AppData\Roaming\Zcash\wallet.dat
\AppData\Roaming\devcoin\wallet.dat
Summary
Some of the concepts used in this malware remind us of other stealers, such as Evrial, PredatorTheThief and Vidar. It has a similar goal and sends the stolen data to the C&C as a ZIP file. However, there is no evidence that the author of this stealer has any connection with those cases. When we look at the implementation and functionality of this malware, it is quite simple. Its large size comes from the many statically compiled modules. Perhaps this malware is still in an early stage of development; the author may just be learning Go and experimenting with it. We will keep a close eye on its development.
At first, analyzing a Golang-compiled application may feel overwhelming because of its large code base and unfamiliar structure. But with the help of the right tools, security researchers can easily navigate the labyrinth, because all the functions get labeled. Since Golang is a relatively new programming language, we can expect the tools for analyzing it to mature over time. Is malware written in Go an emerging trend in threat development? It is a little too early to say. But we know that awareness of malware written in new languages is important to our FreeBuf readers.
© 2024 shulou.com SLNews company. All rights reserved.